Matthew Rosenquist presented on cybersecurity workforce opportunities. He discussed how future challenges will drive demand for cybersecurity professionals. The best organizations see security as continuous process of risk management and adaptation. There is currently a shortage of qualified cybersecurity professionals, with an estimated 2 million unfilled positions by 2017. Needed skills include both technical hard skills as well as soft skills. Experience and industry certifications are important for jobs. Resources like the NICE framework and CyberSeek can help students understand skills and job market insights.

1. Matthew Rosenquist
Cybersecurity Strategist
January 2017

2. Cybersecuritymaybefoughtwith
technology,butitispeoplewhotriumph.
Wemustinvestinthefuturegenerationsof
professionalswhowillcarryonthefight.

3. Agenda
 Introduction
 Future challenges in cybersecurity drive demand
 Industry best practices and perspectives
 Cybersecurity industry workforce opportunities
 Needed skills, training, and student resources
 Questions and Answers discussion

4. Biography
Matthew Rosenquist
Cybersecurity Strategist and Evangelist, Intel Corporation
25 years in the field of security, specializing in strategy, threats, operations, crisis management,
measuring value, communications, and establishing strategic organizations which deliver optimal
security capabilities.
As a cybersecurity strategist, he champions the meaningfulness of security, advises on emerging
opportunities and threats, drives industry collaboration, and advocates a sustainable balance of cost,
controls, and productivity across business, governments, and academic sectors.
• Consults globally to governments, academia, business, and cybersecurity professionals
• Built and managed Intel’s global Security Operations Center
• First Incident Commander for Intel’s worldwide CERT
• Managed security for Intel’s multi-billion dollar worldwide M&A activities
• Overseen internal platform security products and services
• Strategic planner for the Intel Architecture security playbook
• Unified synergies forming the 3rd largest global security product organization
• Conducted investigations, defended corporate assets, established policies, developed strategies to
protect Intel’s global manufacturing
Matthew is an outspoken evangelist and advocate of cybersecurity who delivers keynotes, speeches,
lectures, and has a significant social following of security technologists and global professionals.
4
Twitter: @Matt_Rosenquist
LinkedIn Blogs: https://www.linkedin.com/today/author/matthewrosenquist

5. FutureCybersecurityChallengesdrivedemand
5

6. Security Industry Needs Leadership
“...If security breaks down, technology breaks down”
Brian Krebs
Noted Cybersecurity Reporter

7. Innovation Drives Risk Convergence
New technology bridges the virtual and physical worlds,
to connect and enrich peoples lives

8. Rapid Shift of Skills in the Industry
Needed skills will change over
time, as security, privacy, and
safety evolve.
Strategies will evolve, to expand
what is possible, in order to align
with shifting expectations.
The next generation of security
professionals must understand
and be able to contribute to the
delivery of best-known-practices.

9. Evolving Landscape, Adversaries, and Battlefield
i
29countries
Have formal cyber
warfare units
i
63countries
Use cyber tools for
surveillance
i
$19billion
US 2017 proposed
budget for
cybersecurity
i
$6trillion
Cyber-crime impact
globally by 2021
i
200%increase
In cyber-crime in
the last 5 years
i
$3–$90trillion
Aggregate innovation impact
of cyber-risks by 2020
Hard-AttackDifficulty-Easy
IMPACT GOES FAR BEYOND
Cybersecurity costs
typically measured as part
of an incident
Actual costs of long term
impacts including lost
contract revenue, operational
disruption, devaluation of
trade name, loss of IP, rises in
insurance premiums,
increased cost to raise debt,
customer relationship impacts
%COST
~1%*
Source: US Tech Manufacturing Company Case Study , Deloitte
~99%
i
35%USpopulation
Healthcare records exposed
in 2015
i
400kNewMalware/Day
575 million unique
samples of malware exist
i
+2BillionUsers
4 billion users online by 2020,
up from 2+ billion in today
i
50-200BillionDevices
Connected to the
Internet by 2020
i
25+MillionApplications
Connected by 2020 creating
50x the volume of data
9

10. Changing Digital World
10
 Growing Number of Users: 4B connected people
More Users
New Devices
Innovative
Usages
Generating
Vast Data
Sensitive
Functions
Increased
Target Value
 New Devices Types: 50-200B IoT devices
 Innovative Usages and Access: 25M+ applications
 Creation of Vast Amounts of Data: 50 Trillion gigabytes
 Critical Functionality: Infrastructure, Defense, Transportation
Creates Targets with Increased Value

11. 4 Levels of Cybersecurity Impacts
11
Denial of Service (A)
• Access of customers
• Availability of data,
systems, & services
• DDOS network attacks,
ransom-ware data
locking attacks
Data Theft
& Exposure (C)
• ID Theft
• Privacy
• Data Breach
• Transaction data
• Database hacks,
skimming, lost
storage, keylogging
Monitor &
Manipulate (I)
• Internal-access
surveillance for
advantage
• Tamper / Manipulation
• Long-term data
gathering campaign
Own & Obliterate (C/I/A)
• Administrative ownership and control
• Capability of unrecoverable obliteration
• Strategic attack, undermining of org capability
Security Competency
Attacker Innovation
Attacks evolve over time
for different technology
and usages

12. Security Futures Summary:
12
1. Threats remain equitable to the growth and use of technology
2. Age of massive connectivity (ex. IoT, mesh, 5G/6G, blockchains, etc.) drives
opportunities (for good and bad – cyber threats will take advantage)
3. Society expectations raise for cyber security, privacy, and safety
4. Tipping points approach: threats to life-safety, cybercrime hyper-growth,
offensive cyberwarfare
5. Pendulum swings towards more security, ultimately settles for an optimal
balance (regulatory, nation-states, technology innovators/manufacturers)
6. Emerging data, devices, and services are targeted by Threat Agents
pursuing their objectives, driven by their specific motivations

13. Industrybestpracticesandperspectives
13

14. The Best Organizations
a
Seeks Optimal Risk
Risk management planning
Anticipates impacts
Balance Cost, Risk, & Usability
Adapts to shifting demands
Comprehensive Processes
Security as a continuous cycle
Continuous improvement process
Technology and Behaviors
Obstacles and Opposition
Leads into the Future
Clearly defines success
Plans for a sustainable future
Roles and accountability
Continuously adapting
14

15. Important Considerations…
15
Smarter vs More
Collaboration across security
functions improving effectiveness
Better IT choices & enablement
Properly balancing the risk, cost,
and usability constraints
Expectations Drive Change
Society’s expectations shift with
pain, impact, and inconvenience
Trust will be valued, demanded
Security, privacy, and controls will
align with greater impacts
Controls Must Adapt
Innovation intersecting emerging
attacks to keep pace with attackers
Static defenses are easy to defeat
Intelligence, analysis, and actions
must feedback to improve systems

16. Future Technology to be Designed with Security
Smart Security innovation must deliver more capable solutions
to keep pace with threats
Ubiquitous Security must protect data wherever it exists or is used,
for all parties and devices across the compute landscape
Trusted Technology and security providers must be trustworthy,
in the creation and operation of their products
Strong Products and services must be hardened to resist
compromise and make security transparent to users
Open Platforms and security standards must be open to
promote collaboration and accelerate adoption
Security must be
part of the design
for future
technology. Adding
security after, is no
longer sufficient or
sustainable
16

17. Cybersecurityindustryworkforceopportunities
17

18. Lack of Security Talent Hinders the Industry
The lack of qualified cybersecurity talent will greatly restrict
the growth and effectiveness of security teams.
Academia is working to satiate demand, an estimated 2
million unfilled cybersecurity positions by 2017, but it will
take time.
Result:
1. Salaries will continue to rise until demand is met
2. Headhunting and retention of top talent becomes
ruthlessly competitive
3. Leadership and technical roles in greatest demand
4. Outsourcing to MSSP’s and security firms will increase

19. Cybersecurity Workforce Shortage
o 1.5-2 million estimated unfilled positions by 2017
o Job postings rose 91% (2010-2014)
o Leaders and engineers in highest demand
o Professional Services, Finance, Defense and
Manufacturing are leading sectors
o Finance, Healthcare, and Retail are growing
fastest
o ‘Hybrid’ jobs are increasing, contributing to
demand

20. Neededskills,training,andstudentresources
20

21. Skills and Training
The best way to prepare the next generation of
cybersecurity professionals:
• Hard Skills (technical)
• Soft Skills (behavior)
• Experience (contextual)
• Job Market Insights (opportunity data)
Hard
Skills
Soft Skills
Experience
Job
Market
Insights
Navigate
to
Success

22. Soft Skills are Important
1. Dependability – Being dependable means that you do what you say you will, when you say you will. You can be trusted
to complete any task, and you will do it well.
2. Motivation – You should be able to motivate yourself to get tasks done, and take the initiative to find new ways to
improve upon not only yourself and your work, but also your organization.
3. Communication – This is one of those skills you hear about all the time, and that’s for a reason. Communication is the
key to any human interaction, especially in the workplace.
4. Commitment – Employers want to know that you’re not only committed to the company and your job, but to turning out
the best work you can, every time.
5. Creativity – Can you think about problems in a new and interesting way? Show your employer how.
6. Problem Solving – If you’re confronted with a problem, employers want to know that you will do everything you can to
fix it. Your creative skills will come in handy here.
7. Flexibility – Sometimes, your job is going to be a little like a roller coaster. Can you adjust to the chaos?
8. Teamwork – You’re not done with group work after graduate school. Working in a team is an essential part of almost
every job.
9. Leadership – You may not be a natural born leader, but can you step up and guide either a group of people or a process
if necessary?
10. Time Management – Ability to balance workloads and prioritize what gets done, in the face of many deliverables
http://www.nationalsoftskills.org/top-10-soft-skills-for-success/

23. Experience and Certification
Source: Burning Glass Technologies report -
Job Market Intelligence: Cybersecurity Jobs, 2015
Job Posting Requirements
35% Industry certifications
84% Bachelors degree or higher
83% 3+ years of experience
10% Security Clearance
Relationship between experience and certification
• Entry level certifications typically require less than 3 years
of experience
• Advanced certifications require at least 3-5 years
experience

24. Many, Many Certifications
GSLC: GIAC Security Leadership Management
GISP: GIAC Information Security Professional Management
GCPM: GIAC Certified Project Manager Management
GSEC: GIAC Security Essentials Security Administration
GCIH: GIAC Certified Incident Handler Security Administration
GCIA: GIAC Certified Intrusion Analyst Security Administration
GPEN: GIAC Penetration Tester Security Administration
GWAPT: GIAC Web Application Penetration Tester Security Administration
GISF: GIAC Information Security Fundamentals Security Administration
GCWN: GIAC Certified Windows Security Admin Security Administration
GPPA: GIAC Certified Perimeter Protection Analyst Security Administration
GCED: GIAC Certified Enterprise Defender Security Administration
GICSP: Global Industrial Cyber Security Professional Security Administration
GXPN: GIAC Exploit Researcher & Adv. Pen Tester Security Administration
GAWN: GIAC Assess & Audit Wireless Networks Security Administration
GCUX: GIAC Certified UNIX Security Administrator Security Administration
GMOB: GIAC Mobile Device Security Analyst Security Administration
GMON: GIAC Continuous Monitoring Certification Security Administration
GCCC: GIAC Critical Controls Certification Security Administration
GPYC: GIAC Python Coder Security Administration
GASF: GIAC Advanced Smartphone Forensics Forensics
GCFE: GIAC Certified Forensic Examiner Forensics
GREM: GIAC Reverse Engineering Malware Forensics
GCFA: GIAC Certified Forensic Analyst Forensics
GNFA: GIAC Network Forensic Analyst Forensics
GSSP-JAVA: GIAC Secure SW Programmer-Java Software Security
GWEB: GIAC Certified Web Application Defender Software Security
GSSP-.NET: GIAC Secure SW Programmer- .NET Software Security
GLEG: GIAC Law of Data Security & Investigations Legal
GSNA: GIAC Systems and Network Auditor Audit

25. NICE Framework
National Initiative for Cybersecurity Education framework (NCWIF)
http://csrc.nist.gov/nice/framework
• Reference resource defining cybersecurity work and a standardized set of
required tasks and skills.
• Designed to help organizations educate, recruit, train and retain a qualified
cybersecurity workforce.

26. Job Market Insights
CyberSeek.org - free interactive resource for cybersecurity
job seekers, sponsored by NIST, CompTIA, and NICE.

27. Job Market Insights
• Job locations & salary
• Openings concentrations
• Demand averages
• Titles and roles
• Certification prevalence
• Alignment to NICE
framework
• Career advancement
pathways

28. The Future of Cybersecurity Education is Bright
 Emerging challenges will drive the needs in
cybersecurity – Understand the market needs
 Employers will expect workers to know and apply
industry best practices and perspectives – Align
academics to the future expectations
 The roles are expanding for incoming
cybersecurity workforce – Prepare students for
the new roles
 Resources are emerging to assist academic staff
and graduates to understand the needed skills
and opportunities – Empower students to be self-
sufficient in tracking employment demands